CVE-2025-21857

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sched: cls_api: fix error handling causing NULL dereference<br /> <br /> tcf_exts_miss_cookie_base_alloc() calls xa_alloc_cyclic() which can<br /> return 1 if the allocation succeeded after wrapping. This was treated as<br /> an error, with value 1 returned to caller tcf_exts_init_ex() which sets<br /> exts-&gt;actions to NULL and returns 1 to caller fl_change().<br /> <br /> fl_change() treats err == 1 as success, calling tcf_exts_validate_ex()<br /> which calls tcf_action_init() with exts-&gt;actions as argument, where it<br /> is dereferenced.<br /> <br /> Example trace:<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000000<br /> CPU: 114 PID: 16151 Comm: handler114 Kdump: loaded Not tainted 5.14.0-503.16.1.el9_5.x86_64 #1<br /> RIP: 0010:tcf_action_init+0x1f8/0x2c0<br /> Call Trace:<br /> tcf_action_init+0x1f8/0x2c0<br /> tcf_exts_validate_ex+0x175/0x190<br /> fl_change+0x537/0x1120 [cls_flower]